Hijacked on searches!!.....

Ok...I'm going nuts again, and could use some help. I went to a website, which promptly installed a Trojan virus. I knew this, because my system started crashing hard. I immediatly killed the wireless connection, and ran my AV. It caught 3 virii, and removed them. I also ran Ad-Aware, and Spy-Bot, which both found a few things, and removed them. I then ran HiJack This, but it did not find anything out of the ordinary. Everything seems to be ok until... If I type something into any search engine, and then try follow a link it almost always redirects to somewhere else, and occasionally spawns a new IE window. This is obviously very annoying. I have run, rerun, and rerun all my tools again and again, but nothing is being found. Clearly, something is stil hangin out on my system.

Any other suggestion on tools to super scan and remove.. I've already deleted all temp files, BHO's, cookies, histories, passwords.....

EDIT: Okay, so I just figured out it may be the built-in search of IE.. The search field in top right corner of IE... If I type ,my search there, I get redirected when I click on a result. I think it's trying to send to me Pronto.com, or searchassist.com.. If I just go to Yahoo or Google and do the same search I can click any link and it works fine...does that make any sense?

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

veritas_libertas

Ricka182 wrote: »

Ok...I'm going nuts again, and could use some help. I went to a website, which promptly installed a Trojan virus. I knew this, because my system started crashing hard. I immediatly killed the wireless connection, and ran my AV. It caught 3 virii, and removed them. I also ran Ad-Aware, and Spy-Bot, which both found a few things, and removed them. I then ran HiJack This, but it did not find anything out of the ordinary. Everything seems to be ok until... If I type something into any search engine, and then try follow a link it almost always redirects to somewhere else, and occasionally spawns a new IE window. This is obviously very annoying. I have run, rerun, and rerun all my tools again and again, but nothing is being found. Clearly, something is stil hangin out on my system.

Any other suggestion on tools to super scan and remove.. I've already deleted all temp files, BHO's, cookies, histories, passwords.....

Yeah, stay away from those kind of web sites

I'm not trying to just be funny, most normal web site you run into shouldn't be infected like that.

You probably want to wipe your PC and start over. It's really hard to fully clean a PC.

Oh, and this kinda cool for reviewing a web site:

http://www.google.com/safebrowsing/diagnostic?site=

You can place a web address behind "=" and it gives you all kinds of info on past infections, etc. If you want some amusement ask it about Facebook and Twitter.

arwes

Check your LMHOSTS file for alterations from spyware. It's a common thing.

Ricka182

I have no intention if wiping anything, unless it becomes the absolute last thing. That's almost a bigger pain than just finding a program that can indentify what's living on my laptop. I've run about 15 different programs, and they're not finding much at all.

I have checked the LMHOSTS file, the only listing is my local loopback....

I did a search on the sites I am beng redirected to, and they are known to be bad.. I can get around it by copying the URL from the search directly into the address bar, but again, pain in the arse...

I'll keep looking..I know I can fix this..at least I hope

arwes

Have you tried MalwareBytes & ComboFix? ComboFix is kind of the last resort, cause I've had it kill system files before (did a XP repair install after that though so all was good).

Kaminsky

What AV are you running ? May be time to get a decent one that will clear up all the little things like this as well.

If your searching with google, I notice that the first couple of searches returned are usually always sponsored links that do redirection but if you are still being redirected to these dodgy sites, that suggests your av hasn't got rid of that part of the infection. Also suggests you may have a lot of other nasties on your machine that it hasn't fixed too.

I have Kapersky on mine which my bank was giving away if you did their online banking. Still cheap enough in the shops though. It's an absolute golden rule with AV, you get what you pay for.

NinjaBoy

I would also say do a system restore to a day or so before you visited the website.

-Ken

tiersten

Ricka182 wrote: »

I have no intention if wiping anything, unless it becomes the absolute last thing. That's almost a bigger pain than just finding a program that can indentify what's living on my laptop.

How will you be 100% certain that you've removed every last piece of malware from your system? If you ever use your PC to do online banking or purchase items then I don't see how the time spent reinstalling would be wasted.

To scan your PC properly, you have to be booting off known good external storage like a CD containing a recovery image. If you're scanning it from the compromised installation itself then things may be hidden from you and the scanning package.

4E6564

Check your proxy settings, I've seen viruses change the proxy...anti-virus can't figure it out.

If you are using Internet Explorer just reset all of your browser settings to default, or look for the proxy setting.

pennystrader

I fix alot of peoples computers in spare time and I never just wipe it. Here is what I do and I have always gotten rid of all of the spyware.

Turn off system restore(after installing the spyware programs below run in safe mode with networking)
Place spybot, malware bytes, free super antispyware(this program lets you set your homepage as well and protects it from being hijacked) all on the machine
download autoruns from sysinternals and look at all the running processes. You can kill alot of spyware using this before running any scans.
Install AV(I like AVG) but whatever so you got an active one running.
Windows update your box fully when spyware is gone.
Surf the web using a program like sandboxie if you are not sure certain sites have spyware. This program creates a virtual sandbox that if you get infections it stays in the sandbox and not your computer. You can also do this with a virtual machine on your desktop if you are interested. I do this and works well.

I have also used a custom built bartpe cd when things were really bad as it boots in a PE environment before Windows is booted and will get rid of everything easily. Some people may have never used these kind of CD's though, but they rock the house:)

http://www.superantispyware.com/
http://www.safer-networking.org/en/index.html
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
http://www.malwarebytes.org/
http://free.avg.com/us-en/homepage#axzz0cDWIWip5
http://www.nu2.nu/pebuilder/

Good luck.

tiersten

pennystrader wrote: »

I fix alot of peoples computers in spare time and I never just wipe it.

Are you confident enough that you can say without any doubt that you've got 100% of it removed and nothing else was changed?

pennystrader wrote: »

Surf the web using a program like sandboxie if you are not sure certain sites have spyware. This program creates a virtual sandbox that if you get infections it stays in the sandbox and not your computer. You can also do this with a virtual machine on your desktop if you are interested. I do this and works well.

Sandboxie appears to just intercept certain system calls and library functions. It doesn't provide full virtualisation as evident by the fact there is a list of incompatible software. As such, there is still the opportunity for malware to break out from the sandbox. Use a proper VM if you want to pursue this method.

pennystrader wrote: »

I have also used a custom built bartpe cd when things were really bad as it boots in a PE environment before Windows is booted and will get rid of everything easily. Some people may have never used these kind of CD's though, but they rock the house:)

+1 for the various WinPE tools like BartPE.

Ricka182

Thanks for all the replies.... I'll probably have to go the wiping route it seems. I ran a bunch of tools, including the AVG full scan, Ad-Aware, Spybot, Malwarebytes, and at least 6 others... Malwarebytes seemed to find the one last infection, it removed it..said I had to reboot to complete. I did. And now it gets to the XP logo screen, and before the progress bar even hits the far right, a blue screen error flashes accrss, and the it reboots right away. I think I know why, but I'll have to plug it in at work tomorrow to double check. I don't have the HDD adapter to diagnose with another macine at home.

I keep all my "want to keep" data on a seperate partition, so as long as I can get that I'm fine. It's just a pain to reload the OS, all the apps, and updates... thanks again..

Oh, just thought of this...I tried using the recovery console, but like bad IT admin guy, I haven't used my admin password in months..and can't remember the damn thing... anyway to get around that?

JDMurray

If you use FireFox, I HIGHLY recommend the NoScript add-on to prevent JavaScript and Flash from running in your browser from untrusted Web sites. Between using NoScript, Sandboxie, Blink (eEye), an SPI firewall, and some Web-saavy, Web browsing can be both a moderately safe and useful experience.

tiersten wrote: »

Sandboxie appears to just intercept certain system calls and library functions. It doesn't provide full virtualisation as evident by the fact there is a list of incompatible software. As such, there is still the opportunity for malware to break out from the sandbox. Use a proper VM if you want to pursue this method.

Sandboxie creates a copy of the file system and registry that is changed during Web browsing and deleted after the browser (or Sandboxie) is closed. Malware thinks its infecting your actual files, but it's only touching a temporary, sand-boxes copy of them.

Sandboxie is not 100% fool-proof, but each update released makes it more compatible with other apps (it didn't play well with Blink's system protection feature until recently).

However, if possible, Web surfing only in a throwaway VM snapshot that is isolated from your local LAN seems to be the safest solution.

On the Security Now! podcast, application sand boxes are discussed in episodes #53 and #55, and Sandboxie specifically in episodes #172 and #174.

JDMurray

Ricka182 wrote: »

Oh, just thought of this...I tried using the recovery console, but like bad IT admin guy, I haven't used my admin password in months..and can't remember the damn thing... anyway to get around that?

What, something like this?

What is the Windows Vista Administrator’s Password? | TechExams.net Blogs

veritas_libertas

tiersten wrote: »

Are you confident enough that you can say without any doubt that you've got 100% of it removed and nothing else was changed?

+1 not every virus/key logger wants to announce its presence.

Ricka182

JDMurray wrote: »

What, something like this?

What is the Windows Vista Administrator’s Password? | TechExams.net Blogs

Hey , I remember reading that article a couple years ago...and I remember commenting on it... too bad I'm using XP still.. That Sandboxie thing looks cool, I'll have to check that out for usre once I get the laptop back and running...

Ricka182

Ok...so this is going to be a longshot but.....

I've figured out that somehow, the iastor.sys file has been corrupted on my laptop. In fact, it's missing..

Is there anywhere I could get a copy of that file? I've already copied the important data to another drive, so now I just want to play and try to fix the original.

I have a feeling that it is hardware specific, but I still want to give it a shot...

tiersten

iastor.sys is part of the Intel Matrix Storage Manager driver. You should be able to download and extract the necessary file from the driver packages on intel.com

dadaji

check out Bleeping Computer - Computer Help and Discussion before wiping out anything. Those guys walked me through when my desktop was infected and I had the same problem about hijacking web search. It might take some time for them to reply but be patient. Its better than wiping everything out.

Ricka182

tiersten wrote: »

iastor.sys is part of the Intel Matrix Storage Manager driver. You should be able to download and extract the necessary file from the driver packages on intel.com

Trying that now..thanks!

dadaji wrote: »

check out Bleeping Computer - Computer Help and Discussion before wiping out anything. Those guys walked me through when my desktop was infected and I had the same problem about hijacking web search. It might take some time for them to reply but be patient. Its better than wiping everything out.

I got some good advice on scanning it from BC. I'll ask for more help there if the above does not work..

Ricka182

Okay, so I was able to get the Interl Storage files copied over, but it still does not work. I get the same thing... I have one other option..I'm going to try use one last utility someone at work is getting for me.. If that fails, I'll just wipe and reload the OS.

My data is safe, so that was only concern..

Many, many thanks to all those replied. I have learned a good lesson in keeping admin passwords, current backups, and non-expired AV and anti-malware on my machines...

JBrown

last suggestion, Stay AWAY FROM AVG. Did i just say STAY AWAY FROM AVG. That is the worst free anti-virus out there.
Get yourself avast home edition and it comes for free if you register for the key, or avira, but STAY AWAY from AVG.

tiersten

Just trash it and do a full reinstall. You're in an unknown configuration at the moment. Removal and detection of malware isn't foolproof. There have been many cases of false positives in vital system files which have caused major issues when "cleaned" or deleted. Cleaning files as well may not be possible.

In the case of iastor.sys, I expect that the scanning tool used decided that it was malware when it wasn't actually and has broken your Windows install since iastor.sys is the driver for the HD controller. Malwarebytes warns that the GMER rootkit tool gives many false positives and not to actually take any action without advice.